
The CPS 230 value opportunity: How Australian insurers can turn compliance into confidence

CPS 230 is emerging as a blueprint for operational resilience, helping insurers tighten reporting cycles, cut incidents, and strengthen regulator trust.

Charlotte Clark-Wilson, Head of Content & Product Marketing
8 JAN

CPS 230 isn't a burden - it's a blueprint


That's one of the core messages running through Drova's Insurance Outlook Report 2026, a national pulse-check on how Australian insurers are responding to the risks, regulations and shifts reshaping the sector.

Through candid conversations with CROs, CEOs, and brokers, the report finds early movers are using APRA's CPS 230 Operational Risk Management standard to build faster reporting cycles, fewer incidents, and stronger regulator trust.

"CPS 230 has sharpened our focus on formalising clear ownership and accountability for our critical operations," says Andrea Gardiner, Chief Risk Officer and General Counsel at ADICA. "It's about proving continuity, not just having a policy that says you can."


From policy to proof


For the first time, boards must demonstrate operational resilience, not just document it. CPS 230 requires insurers to define their critical operations, set impact tolerances, and ensure those tolerances hold - across internal systems and third-party providers alike.

"The regulatory risks we face are largely about not being able to demonstrate resilience," says Pally Bargri, CRO at Avant Mutual. "We know we're going to hit potholes, that there are going to be bumps. The question becomes, how do you ensure continuity? How does the car keep going and not get stuck in that pothole?"

This shift from assurance on paper to evidence in practice is the real turning point. Resilience, in other words, must be lived - not laminated.


The era of scrutiny


The timing could not be sharper. Insurers are operating under growing regulatory, reputational, and operational pressure.

In the 2024-25 financial year, 34,000 general insurance complaints were lodged with AFCA, up 17 percent from the year prior. System outages and service delays - from the July 2024 CrowdStrike incident to regional network failures - have highlighted how exposed even mature institutions can be when third-party resilience falters.

"The focus of this standard is less about meeting compliance and more about demonstrating how the business understands its risk context, knows its supply chains and prepares for disruption," says Naomi Feast, CRO at the Medical Indemnity Protection Society. "There's also a growing expectation for real-time views of risk profiles reported to the Board."

The regulator's intention is unmistakable: resilience should not live in a document. It should be visible in decision-making, technology choices, and board oversight.


Governance in motion


CPS 230 has effectively redrawn the map of responsibility inside insurers. What was once operational risk management is now a board-level discipline.

"The most challenging Board-level discussion has been around setting appropriate tolerance levels and assessing whether we could realistically meet them in a disruption," Gardiner explains. "We developed methodologies to help define and validate those tolerance levels using historical incidents as reference points."

This governance elevation is changing the tone of risk conversations. The second line is no longer a control function; it's a driver of strategic clarity.

"The role of risk management has evolved significantly," Gardiner adds. "Teams are no longer just gatekeepers of compliance - risk assurance now plays a critical part in overall management."

The result is greater alignment between resilience strategy and business ambition. CPS 230, for all its administrative weight, has made resilience measurable.


The mindset shift required: Adaptability over prediction


For years, risk management revolved around prediction - mapping what might happen. That mindset is giving way to one of adaptability and continuous readiness.

"One of the biggest drivers of change used to be prediction, but that has now shifted to adaptability," says Nigel Fellowes-Freeman, CEO and Founder of Kanopi Cover. "The most important thing in achieving resilience is having systems, processes, and risk appetites that can adapt very quickly to changing risks."

CPS 230 is a forcing function for this agility. By requiring live testing, cross-functional resilience plans, and scenario drills, it pushes insurers to operate in a state of readiness rather than reaction.


Third-party risk rewired


The most operationally complex change lies in how insurers manage service providers. Under CPS 230, outsourced functions are no longer "external"; they are part of the resilience perimeter.

"Governance over suppliers used to be a separate function," explains Bargri. "We've moved it into the second line of defence, so third-party risk and resilience run together. That's been instrumental in implementing CPS 230 with minimal disruption."

That integration has proved pivotal. By embedding supplier oversight into risk, insurers like Avant Mutual can trace dependencies across their entire ecosystem - from IT vendors to outsourced claims teams - and test them as one network.

It's the kind of structural maturity the regulator wants to see replicated. Bargri notes that CPS 230 isn't a big leap if suppliers and resilience were already managed well - it simply formalises good governance.


Innovation through compliance


For emerging players, CPS 230 is defining a new baseline for credibility.

"CPS 230 certainly adds to the forces driving market consolidation that we're seeing, but overall we welcome the changes," says Simon O'Dell, Partner and Director at Insurtech Gateway. "Regulatory shifts like CPS 230 are directly shaping how we assess and support early-stage regulated businesses."

O'Dell's firm now embeds risk and compliance frameworks from day one. "We hold the hand early," he says, "then step back as they mature."

It's a discipline-first approach that protects growth rather than constrains it. In O'Dell's words, "The best founders understand regulation has a purpose - it protects customers and markets. They see compliance not as a constraint but as a design parameter."


Compliance as competitive advantage


The narrative is shifting across the sector. APRA's 2025 Stakeholder Survey found that most regulated entities now view supervision as beneficial, not burdensome - improving both governance and risk management.

In practice, the same evidence generated for compliance - resilience testing, continuity maps, tolerance tracking - is becoming an asset in boardrooms, reinsurance negotiations, and investor briefings.

"Boards and executive teams are increasingly adopting the concept of 'resilience' as a strategic capability," says Rhys James, Principal of Corporate & Specialty at PSC Insurance Brokers. "Sophisticated organisations can no longer merely react to risk - they must develop strategies and design resilience into their organisation."

James believes the resilience signal now carries weight beyond the regulator. "Operational resilience is becoming a commercial imperative," he adds. "Those who apply the principle beyond compliance - to strategy, governance, and culture - will see long-term value creation."


From burden to blueprint


Drova's Insurance Outlook Report 2026 summarises the shift succinctly: CPS 230 is an operating model upgrade, not a hurdle.

The report identifies five practical priorities for turning compliance into confidence:

  1. Clarify what's critical - Map operations and Board-approved tolerances.
  2. Own outsourced risk - Treat vendors as extensions of the enterprise.
  3. Bring risk into strategy - Integrate resilience into growth decisions.
  4. Build on compliant infrastructure - Choose systems that embed CPS 230 and CPS 234 controls.
  5. Right-size the response - Strengthen where it matters most.

Insurers following this playbook are already seeing measurable results: shorter reporting cycles, faster recovery from incidents, and fewer compliance bottlenecks.


Confidence as currency


CPS 230 has redefined what it means to be a resilient insurer. It's no longer about survival; it's about proof - evidence that business can withstand, recover, and continue to serve customers even when disruption strikes.

That alignment is the real value opportunity of 2026: turning scrutiny into strength, and compliance into confidence.
